﻿<?xml version="1.0" encoding="utf-8"?>
<!-- Copyright (c) André N. Klingsheim. See NWebsec project website for license information. -->
<xs:schema id="httpheadersecuritymoduleconfigschema" attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd" targetNamespace="http://nwebsec.com/HttpHeaderSecurityModuleConfig.xsd">
  <xs:simpleType name="simple_boolean">
    <xs:restriction base="xs:NMTOKEN">
      <xs:enumeration value="false" />
      <xs:enumeration value="true" />
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="XFrameOptionsEnumType">
    <xs:restriction base="xs:normalizedString">
      <xs:enumeration value="Deny">
        <xs:annotation>
          <xs:documentation>The X-Frame-Options header should be set in the HTTP response, instructing the browser to not display the page when it is loaded in an iframe.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
      <xs:enumeration value="SameOrigin">
        <xs:annotation>
          <xs:documentation>The X-Frame-Options header should be set in the HTTP response, instructing the browser to display the page when it is loaded in an iframe - but only if the iframe is from the same origin as the page.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
      <xs:enumeration value="Disabled">
        <xs:annotation>
          <xs:documentation>The X-Frame-Options header should not be set in the HTTP response.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="XXssProtection">
    <xs:restriction base="xs:normalizedString">
      <xs:enumeration value="FilterEnabled">
        <xs:annotation>
          <xs:documentation>The X-Xss-Protection header should be set in the HTTP response, explicitly enabling the IE XSS filter.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
      <xs:enumeration value="FilterDisabled">
        <xs:annotation>
          <xs:documentation>The X-Xss-Protection header should be set in the HTTP response, explicitly enabling the IE XSS filter.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
      <xs:enumeration value="Disabled">
        <xs:annotation>
          <xs:documentation>The X-Xss-Protection header should not be set in the HTTP response.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
    </xs:restriction>
  </xs:simpleType>
  <xs:element name="httpHeaderSecurityModule" >
    <xs:annotation>
      <xs:documentation>Configuration section for the NWebsec HttpHeaderSecurityModule</xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:all>
        <xs:element name="setNoCacheHttpHeaders" minOccurs="0" maxOccurs="1">
          <xs:annotation>
            <xs:documentation>Specifies whether appropriate headers to prevent browser caching should be set in the HTTP responses.</xs:documentation>
          </xs:annotation>
          <xs:complexType>
            <xs:attribute name="enabled" type="simple_boolean" use="required">
              <xs:annotation>
                <xs:documentation>This attribute is required.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
          </xs:complexType>
        </xs:element>
        <xs:element name="x-Robots-Tag" minOccurs="0" maxOccurs="1">
          <xs:annotation>
            <xs:documentation>Specifies whether the X-Robots-Tag header should be set in the HTTP responses.</xs:documentation>
          </xs:annotation>
          <xs:complexType>
            <xs:attribute name="enabled" type="simple_boolean" use="required">
              <xs:annotation>
                <xs:documentation>This attribute is required.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noIndex" type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not index a page.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noFollow" type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not follow links on a page.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noSnippet" type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not display a snippet for a page in search results.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noArchive" type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not offer a cached version of a page in search results.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noOdp" type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not use information from the Open Directory Project (ODP) for a page's title or snippet.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noTranslate " type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not offer translation of a page in search results (Google only).</xs:documentation>
              </xs:annotation>
            </xs:attribute>
            <xs:attribute name="noImageIndex" type="simple_boolean" use="optional">
              <xs:annotation>
                <xs:documentation>Instructs search engines to not index images on the page (Google only).</xs:documentation>
              </xs:annotation>
            </xs:attribute>
          </xs:complexType>
        </xs:element>
        <xs:element name="redirectValidation" minOccurs="0" maxOccurs="1">
          <xs:annotation>
            <xs:documentation>
              Specifies whether to validate redirects in the application. Redirects to relative URIs and
              to the same scheme/host/port are allowed. Redirects to other destinations must be explicitly allowed through config.
            </xs:documentation>
          </xs:annotation>
          <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="1">
              <xs:element name="allowSameHostRedirectsToHttps" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Specifies whether redirects to HTTPS on the same host should be allowed.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:attribute name="enabled" type="simple_boolean" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="httpsPorts" type="xs:string" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies allowed destination port(s) for redirects to HTTPS. The default HTTPS port (443) is assumed if no value is configured. Specify multiple ports through a comma-separated list.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:choice minOccurs="0" maxOccurs="unbounded">
                <xs:element name="add" type="RedirectUri"  />
                <xs:element name="remove" type="RedirectUri" />
                <xs:element name="clear"/>
              </xs:choice>
            </xs:sequence>
            <xs:attribute name="enabled" type="simple_boolean" use="required">
              <xs:annotation>
                <xs:documentation>This attribute is required.</xs:documentation>
              </xs:annotation>
            </xs:attribute>
          </xs:complexType>
        </xs:element>
        <xs:element name="securityHttpHeaders" minOccurs="0" maxOccurs="1">
          <xs:annotation>
            <xs:documentation>Configures various security HTTP headers.</xs:documentation>
          </xs:annotation>
          <xs:complexType>
            <xs:all>
              <xs:element name="x-Frame-Options" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Specifies whether the X-Frame-Options security header should be set in the HTTP responses.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:attribute name="policy" type="XFrameOptionsEnumType" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:element name="strict-Transport-Security" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Specifies whether the Strict-Transport-Security security header should be set in the HTTP responses.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:attribute name="max-age" type="xs:string" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required. Specifies for how long the browser should enforce Strict Transport Security. Expects a TimeSpan string.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="includeSubdomains" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies whether Strict Transport Security also applies to subdomains. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="preload" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Enables the Preload directive in the HSTS header. MaxAge must be at least 18 weeks, and IncludeSubdomains must be enabled. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="httpsOnly" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies that the HSTS header should be set for HTTPS requests only. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:element name="x-Content-Type-Options" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Specifies whether the X-Content-Type-Options security header should be set in the HTTP responses.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:attribute name="enabled" type="simple_boolean" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:element name="x-Download-Options" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Specifies whether the X-Download-Options security header should be set in the HTTP responses.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:attribute name="enabled" type="simple_boolean" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:element name="x-XSS-Protection" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Specifies whether the X-XSS-Protection security header should be set in the HTTP responses.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:attribute name="policy" type="XXssProtection" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="blockMode" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies whether to enable block mode. The default is true.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:element name="content-Security-Policy" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Configures the Content-Security-Policy header.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:group ref="cspElements" minOccurs="0" maxOccurs="1"/>
                  <xs:attribute name="enabled" type="simple_boolean" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="x-Content-Security-Policy-Header" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies whether to also emit the X-Content-Security-Policy header. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="x-WebKit-CSP-Header" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies whether to also emit the X-WebKit-CSP header. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
              <xs:element name="content-Security-Policy-Report-Only" minOccurs="0" maxOccurs="1">
                <xs:annotation>
                  <xs:documentation>Configures the Content-Security-Policy-Report-Only header.</xs:documentation>
                </xs:annotation>
                <xs:complexType>
                  <xs:group ref="cspElements" minOccurs="0" maxOccurs="1"/>
                  <xs:attribute name="enabled" type="simple_boolean" use="required">
                    <xs:annotation>
                      <xs:documentation>This attribute is required.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="x-Content-Security-Policy-Header" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies whether to also emit the X-Content-Security-Policy-Report-Only header. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                  <xs:attribute name="x-WebKit-CSP-Header" type="simple_boolean" use="optional">
                    <xs:annotation>
                      <xs:documentation>Optional. Specifies whether to also emit the X-WebKit-CSP-Report-Only header. The default is false.</xs:documentation>
                    </xs:annotation>
                  </xs:attribute>
                </xs:complexType>
              </xs:element>
            </xs:all>
          </xs:complexType>
        </xs:element>
      </xs:all>
    </xs:complexType>
  </xs:element>
  <xs:complexType name="RedirectUri">
    <xs:attribute name="allowedDestination" type="xs:string" use="required">
      <xs:annotation>
        <xs:documentation>
          This attribute is required. Specifies a base URI for where redirects are allowed, redirects to sub paths of the URI are also allowed. The URI must include scheme,
          host and optionally port and a path. Example: https://www.nwebsec.com/somepath allows redirects to https://www.nwebsec.com/somepath and
          https://www.nwebsec.com/somepath/subpath but not https://www.nwebsec.com/
        </xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
  <xs:complexType name="cspSource">
    <xs:attribute name="source" type="xs:string" use="required">
      <xs:annotation>
        <xs:documentation>
          This attribute is required. Specifies a source. Source examples are scheme only ("https:"), any host ("*"),
          a host ("*.nwebsec.com", "www.nwebsec.com", "https://www.nwebsec.com", "www.nwebsec.com:443", "https://www.nwebsec.com:*").
          See the Content Security Policy 1.0 standard for details.
        </xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
  <xs:complexType name="cspReportUri">
    <xs:attribute name="report-uri" type="xs:string" use="required">
      <xs:annotation>
        <xs:documentation>This attribute is required. Specifies a report Uri. Report Uri's must be relative.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:complexType>
  <xs:complexType name="BaseCspElement">
    <xs:choice minOccurs="0" maxOccurs="unbounded">
      <xs:element name="add" type="cspSource" />
      <xs:element name="remove" type="cspSource" />
      <xs:element name="clear"/>
    </xs:choice>
    <xs:attributeGroup ref="BaseCspAttributes"/>
  </xs:complexType>
  <xs:complexType name="UnsafeInlineCspElement">
    <xs:complexContent>
      <xs:extension base="BaseCspElement">
        <xs:attribute name="unsafeInline" type="simple_boolean" use="optional">
          <xs:annotation>
            <xs:documentation>Optional. Specifies whether to include the 'unsafe-inline' source. The default is false.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:complexType name="UnsafeInlineUnsafeEvalCspElement">
    <xs:complexContent>
      <xs:extension base="UnsafeInlineCspElement">
        <xs:attribute name="unsafeEval" type="simple_boolean" use="optional">
          <xs:annotation>
            <xs:documentation>Optional. Specifies whether to include the 'unsafe-eval' source. The default is false.</xs:documentation>
          </xs:annotation>
        </xs:attribute>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>
  <xs:group name="cspElements">
    <xs:all>
      <xs:element name="default-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the default-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="script-src" minOccurs="0" maxOccurs="1" type="UnsafeInlineUnsafeEvalCspElement">
        <xs:annotation>
          <xs:documentation>Configures the script-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="style-src" minOccurs="0" maxOccurs="1" type="UnsafeInlineCspElement">
        <xs:annotation>
          <xs:documentation>Configures the style-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="object-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the object-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="img-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the img-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="media-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the media-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="frame-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the frame-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="font-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the font-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="connect-src" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the connect-src CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="frame-ancestors" minOccurs="0" maxOccurs="1" type="BaseCspElement">
        <xs:annotation>
          <xs:documentation>Configures the frame-ancestors CSP directive.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="report-uri" minOccurs="0" maxOccurs="1">
        <xs:annotation>
          <xs:documentation>Configures the report-uri CSP directive.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:choice minOccurs="0" maxOccurs="unbounded">
            <xs:element name="add" type="cspReportUri" />
            <xs:element name="remove" type="cspReportUri" />
            <xs:element name="clear"/>
          </xs:choice>
          <xs:attribute name="enableBuiltinHandler" type="simple_boolean" use="optional">
            <xs:annotation>
              <xs:documentation>Optional. Specifies whether to enable the built in CSP report handler. The default is false.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
          <xs:attribute name="enabled" type="simple_boolean" use="optional">
            <xs:annotation>
              <xs:documentation>Optional. Specifies whether to enable the report-uri directive. The default is true.</xs:documentation>
            </xs:annotation>
          </xs:attribute>
        </xs:complexType>
      </xs:element>
    </xs:all>
  </xs:group>
  <xs:attributeGroup name="BaseCspAttributes">
    <xs:attribute name="self" type="simple_boolean" use="optional">
      <xs:annotation>
        <xs:documentation>Optional. Specifies whether to include the 'self' source. The default is false.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="none" type="simple_boolean" use="optional">
      <xs:annotation>
        <xs:documentation>Optional. Specifies whether to include the 'none' source. The default is false.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
    <xs:attribute name="enabled" type="simple_boolean" use="optional">
      <xs:annotation>
        <xs:documentation>Optional. Specifies whether to enable the source directive. The default is true.</xs:documentation>
      </xs:annotation>
    </xs:attribute>
  </xs:attributeGroup>
</xs:schema>